ExamTopics Logo
Mail Us[email protected]
Menu
Isaca Discussions
exam questions

Exam CISM All Questions

View all questions & answers for the CISM exam
Go to Exam

Exam CISM topic 1 question 629 discussion

Actual exam question from Isaca's CISM
Question #: 629
Topic #: 1
[All CISM Questions]

A high-risk issue is discovered during an information security risk assessment of a legacy application. The business is unwilling to allocate the resources to remediate the issue. Which of the following would be the information security manager’s BEST course of action?

  • A. Document risk acceptance from the business.
  • B. Recommend discontinuing the use of the legacy application.
  • C. Design alternative compensating controls to reduce the risk.
  • D. Present the worst-case scenario related to the risk.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by aokisan at Dec. 24, 2022, 5 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Salilgen
Highly Voted 10 months, 1 week ago
Selected Answer: D
"The business is unwilling to allocate resource to remediate the issue". Then, you don't even have resource for alternative compensating controls. Discontinuing the use of the legacy application is another way to solve the problem but it also requires resources. Then, I would present the worst case scenario to the business manager and if they still don't want to allocate resources I would document the risk acceptance.
upvoted 6 times
...
d7a2ba6
Most Recent 3 weeks, 3 days ago
Selected Answer: C
"The business is unwilling to allocate the resources to remediate the issue." They should be already aware of the issue and its consequences, so D should be in the past. I go for C.
upvoted 1 times
...
ATT5832
1 month, 3 weeks ago
Selected Answer: C
IMO, the term remediate means to correct or resolve the issue. Business is unwilling to do so. That still leaves the door open to compensating controls.
upvoted 1 times
...
Infosecnerd
4 months, 3 weeks ago
Its C This approach allows you to manage the risk within the constraints imposed by the business, providing a balance between risk management and resource allocation.
upvoted 1 times
...
yottabyte
9 months, 2 weeks ago
Selected Answer: D
@Salilgen, you are spot on.
upvoted 2 times
...
POWNED
11 months, 3 weeks ago
Selected Answer: C
With isaca you have to always be aware of the key all cap words in the question. For this question it is "BEST", not "FIRST". With this reasoning the best answer is C.
upvoted 1 times
...
secdoc
1 year, 3 months ago
It doesn't say reluctant, it says unwilling. Any time spent by a resource going forward, which includes designing compensating controls is in direct defiance of the business decision. It is A
upvoted 4 times
...
Kunzle
1 year, 4 months ago
Selected Answer: A
If the business understands the risks associated with the legacy application and still decides not to allocate resources for its remediation, it is crucial to obtain and document formal risk acceptance from relevant business stakeholders. This ensures that the decision is well-informed, and accountability is clear.
upvoted 2 times
Marcelus1714
11 months, 1 week ago
It says "they don't want to allocate resources to remediate it", it does not say that they want to accept the risk, if they don't want to allocate resoruces the BEST would be to propose alternatives to them, right?
upvoted 1 times
Marcelus1714
11 months, 1 week ago
so I go for C
upvoted 1 times
...
...
MacDanorld
1 year, 3 months ago
I don't think reluctance to allocate resources can be interpreted to mean accepting the risk, the reluctance could be as a result of many things including budgeting but does not mean acceptance in my opinion
upvoted 1 times
...
...
oluchecpoint
1 year, 4 months ago
Selected Answer: A
Documentation of Risk Acceptance: When a high-risk issue is discovered, and the business is unwilling to allocate resources for remediation, it's crucial to formally document their decision to accept the risk. This documentation serves as a record of the business's awareness of the risk and their decision not to mitigate it. It also helps in clarifying responsibilities and accountabilities.
upvoted 1 times
...
Goseu
1 year, 5 months ago
Selected Answer: C
C looks right
upvoted 1 times
...
richck102
1 year, 6 months ago
C. Design alternative compensating controls to reduce the risk.
upvoted 2 times
...
dark_3k03r
1 year, 8 months ago
Selected Answer: C
I concur with Cal on this. It's about the best action, not the first action.
upvoted 3 times
...
CarlPTY07
1 year, 10 months ago
Selected Answer: C
Read the question: The BEST action is C. Obviously the first action is A,
upvoted 4 times
...
cangurer
1 year, 10 months ago
The BEST action is C I think, the FIRST action would be A
upvoted 3 times
...
Broesweelies
1 year, 11 months ago
Selected Answer: A
A. Document risk acceptance from the business.
upvoted 2 times
...
MyKasala
1 year, 11 months ago
Selected Answer: A
A is correct
upvoted 1 times
...
aokisan
2 years ago
Selected Answer: D
at first, provide worst scenario, then need to implement the remediation.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago